feat: Update cluster variable definitions; drop cluster_ prefix

bryantbiggs · bryantbiggs · commit ed296d125776 · 2025-04-27T13:28:27.000-05:00
diff --git a/examples/ec2-autoscaling/main.tf b/examples/ec2-autoscaling/main.tf
@@ -28,7 +28,7 @@ locals {
 module "ecs_cluster" {
   source = "../../modules/cluster"
 
-  cluster_name = local.name
+  name = local.name
 
   # Capacity provider - autoscaling groups
   default_capacity_provider_use_fargate = false
@@ -96,13 +96,12 @@ module "ecs_service" {
   }
 
   volume_configuration = {
-    ebs-volume = {
-      managed_ebs_volume = {
-        encrypted        = true
-        file_system_type = "xfs"
-        size_in_gb       = 5
-        volume_type      = "gp3"
-      }
+    name = "ebs-volume"
+    managed_ebs_volume = {
+      encrypted        = true
+      file_system_type = "xfs"
+      size_in_gb       = 5
+      volume_type      = "gp3"
     }
   }
 
@@ -162,11 +161,9 @@ module "ecs_service" {
   }
 
   subnet_ids = module.vpc.private_subnets
-  security_group_rules = {
+  security_group_ingress_rules = {
     alb_http_ingress = {
-      type                     = "ingress"
       from_port                = local.container_port
-      to_port                  = local.container_port
       protocol                 = "tcp"
       description              = "Service port"
       source_security_group_id = module.alb.security_group_id
diff --git a/examples/fargate/main.tf b/examples/fargate/main.tf
@@ -28,7 +28,7 @@ locals {
 module "ecs_cluster" {
   source = "../../modules/cluster"
 
-  cluster_name = local.name
+  name = local.name
 
   # Capacity provider
   fargate_capacity_providers = {
diff --git a/main.tf b/main.tf
@@ -8,10 +8,10 @@ module "cluster" {
   create = var.create
 
   # Cluster
-  cluster_name                     = var.cluster_name
-  cluster_configuration            = var.cluster_configuration
-  cluster_settings                 = var.cluster_settings
-  cluster_service_connect_defaults = var.cluster_service_connect_defaults
+  name                     = var.cluster_name
+  configuration            = var.cluster_configuration
+  settings                 = var.cluster_settings
+  service_connect_defaults = var.cluster_service_connect_defaults
 
   # Cluster Cloudwatch log group
   create_cloudwatch_log_group            = var.create_cloudwatch_log_group
diff --git a/modules/cluster/README.md b/modules/cluster/README.md
@@ -173,16 +173,16 @@ No modules.
 | <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Custom name of CloudWatch Log Group for ECS cluster | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events | `number` | `90` | no |
 | <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | A map of additional tags to add to the log group created | `map(string)` | `{}` | no |
-| <a name="input_cluster_configuration"></a> [cluster\_configuration](#input\_cluster\_configuration) | The execute command configuration for the cluster | `any` | `{}` | no |
-| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | `string` | `""` | no |
-| <a name="input_cluster_service_connect_defaults"></a> [cluster\_service\_connect\_defaults](#input\_cluster\_service\_connect\_defaults) | Configures a default Service Connect namespace | `map(string)` | `{}` | no |
-| <a name="input_cluster_settings"></a> [cluster\_settings](#input\_cluster\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` | <pre>[<br/>  {<br/>    "name": "containerInsights",<br/>    "value": "enabled"<br/>  }<br/>]</pre> | no |
+| <a name="input_configuration"></a> [configuration](#input\_configuration) | The execute command configuration for the cluster | <pre>object({<br/>    execute_command_configuration = optional(object({<br/>      kms_key_id = optional(string)<br/>      log_configuration = optional(object({<br/>        cloud_watch_encryption_enabled = optional(bool)<br/>        cloud_watch_log_group_name     = optional(string)<br/>        s3_bucket_encryption_enabled   = optional(bool)<br/>        s3_bucket_name                 = optional(string)<br/>        s3_kms_key_id                  = optional(string)<br/>      }))<br/>      logging = optional(string, "OVERRIDE")<br/>    }))<br/>    managed_storage_configuration = optional(object({<br/>      fargate_ephemeral_storage_kms_key_id = optional(string)<br/>      kms_key_id                           = optional(string)<br/>    }))<br/>  })</pre> | <pre>{<br/>  "execute_command_configuration": {<br/>    "log_configuration": {<br/>      "cloud_watch_log_group_name": "placeholder"<br/>    }<br/>  }<br/>}</pre> | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
 | <a name="input_create_task_exec_iam_role"></a> [create\_task\_exec\_iam\_role](#input\_create\_task\_exec\_iam\_role) | Determines whether the ECS task definition IAM role should be created | `bool` | `false` | no |
 | <a name="input_create_task_exec_policy"></a> [create\_task\_exec\_policy](#input\_create\_task\_exec\_policy) | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | `bool` | `true` | no |
 | <a name="input_default_capacity_provider_use_fargate"></a> [default\_capacity\_provider\_use\_fargate](#input\_default\_capacity\_provider\_use\_fargate) | Determines whether to use Fargate or autoscaling for default capacity provider strategy | `bool` | `true` | no |
 | <a name="input_fargate_capacity_providers"></a> [fargate\_capacity\_providers](#input\_fargate\_capacity\_providers) | Map of Fargate capacity provider definitions to use for the cluster | `any` | `{}` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | `string` | `""` | no |
+| <a name="input_service_connect_defaults"></a> [service\_connect\_defaults](#input\_service\_connect\_defaults) | Configures a default Service Connect namespace | <pre>object({<br/>    namespace = string<br/>  })</pre> | `null` | no |
+| <a name="input_settings"></a> [settings](#input\_settings) | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | <pre>list(object({<br/>    name  = string<br/>    value = string<br/>  }))</pre> | <pre>[<br/>  {<br/>    "name": "containerInsights",<br/>    "value": "enabled"<br/>  }<br/>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_task_exec_iam_role_description"></a> [task\_exec\_iam\_role\_description](#input\_task\_exec\_iam\_role\_description) | Description of the role | `string` | `null` | no |
 | <a name="input_task_exec_iam_role_name"></a> [task\_exec\_iam\_role\_name](#input\_task\_exec\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
@@ -2,84 +2,58 @@
 # Cluster
 ################################################################################
 
-locals {
-  execute_command_configuration = {
-    logging = "OVERRIDE"
-    log_configuration = {
-      cloud_watch_log_group_name = try(aws_cloudwatch_log_group.this[0].name, null)
-    }
-  }
-}
-
 resource "aws_ecs_cluster" "this" {
   count = var.create ? 1 : 0
 
-  name = var.cluster_name
-
   dynamic "configuration" {
-    for_each = var.create_cloudwatch_log_group ? [var.cluster_configuration] : []
+    for_each = var.configuration != null ? [var.configuration] : []
 
     content {
       dynamic "execute_command_configuration" {
-        for_each = try([merge(local.execute_command_configuration, configuration.value.execute_command_configuration)], [{}])
+        for_each = configuration.value.execute_command_configuration != null ? [configuration.value.execute_command_configuration] : []
 
         content {
-          kms_key_id = try(execute_command_configuration.value.kms_key_id, null)
-          logging    = try(execute_command_configuration.value.logging, "DEFAULT")
+          kms_key_id = execute_command_configuration.value.kms_key_id
 
           dynamic "log_configuration" {
-            for_each = try([execute_command_configuration.value.log_configuration], [])
+            for_each = execute_command_configuration.value.log_configuration != null ? [execute_command_configuration.value.log_configuration] : []
 
             content {
-              cloud_watch_encryption_enabled = try(log_configuration.value.cloud_watch_encryption_enabled, null)
-              cloud_watch_log_group_name     = try(log_configuration.value.cloud_watch_log_group_name, null)
-              s3_bucket_name                 = try(log_configuration.value.s3_bucket_name, null)
-              s3_bucket_encryption_enabled   = try(log_configuration.value.s3_bucket_encryption_enabled, null)
-              s3_key_prefix                  = try(log_configuration.value.s3_key_prefix, null)
+              cloud_watch_encryption_enabled = log_configuration.value.cloud_watch_encryption_enabled
+              cloud_watch_log_group_name     = try(aws_cloudwatch_log_group.this[0].name, log_configuration.value.cloud_watch_log_group_name)
+              s3_bucket_encryption_enabled   = log_configuration.value.s3_bucket_encryption_enabled
+              s3_bucket_name                 = log_configuration.value.s3_bucket_name
+              s3_key_prefix                  = log_configuration.value.s3_key_prefix
             }
           }
+
+          logging = try(execute_command_configuration.value.logging, "DEFAULT")
         }
       }
-    }
-  }
 
-  dynamic "configuration" {
-    for_each = !var.create_cloudwatch_log_group && length(var.cluster_configuration) > 0 ? [var.cluster_configuration] : []
-
-    content {
-      dynamic "execute_command_configuration" {
-        for_each = try([configuration.value.execute_command_configuration], [{}])
+      dynamic "managed_storage_configuration" {
+        for_each = configuration.value.managed_storage_configuration != null ? [configuration.value.managed_storage_configuration] : []
 
         content {
-          kms_key_id = try(execute_command_configuration.value.kms_key_id, null)
-          logging    = try(execute_command_configuration.value.logging, "DEFAULT")
-
-          dynamic "log_configuration" {
-            for_each = try([execute_command_configuration.value.log_configuration], [])
-
-            content {
-              cloud_watch_encryption_enabled = try(log_configuration.value.cloud_watch_encryption_enabled, null)
-              cloud_watch_log_group_name     = try(log_configuration.value.cloud_watch_log_group_name, null)
-              s3_bucket_name                 = try(log_configuration.value.s3_bucket_name, null)
-              s3_bucket_encryption_enabled   = try(log_configuration.value.s3_bucket_encryption_enabled, null)
-              s3_key_prefix                  = try(log_configuration.value.s3_key_prefix, null)
-            }
-          }
+          fargate_ephemeral_storage_kms_key_id = managed_storage_configuration.value.fargate_ephemeral_storage_kms_key_id
+          kms_key_id                           = managed_storage_configuration.value.kms_key_id
         }
       }
     }
   }
 
+  name = var.name
+
   dynamic "service_connect_defaults" {
-    for_each = length(var.cluster_service_connect_defaults) > 0 ? [var.cluster_service_connect_defaults] : []
+    for_each = var.service_connect_defaults != null ? [var.service_connect_defaults] : []
 
     content {
       namespace = service_connect_defaults.value.namespace
     }
   }
 
   dynamic "setting" {
-    for_each = flatten([var.cluster_settings])
+    for_each = var.settings != null ? var.settings : []
 
     content {
       name  = setting.value.name
@@ -93,10 +67,11 @@ resource "aws_ecs_cluster" "this" {
 ################################################################################
 # CloudWatch Log Group
 ################################################################################
+
 resource "aws_cloudwatch_log_group" "this" {
   count = var.create && var.create_cloudwatch_log_group ? 1 : 0
 
-  name              = try(coalesce(var.cloudwatch_log_group_name, "/aws/ecs/${var.cluster_name}"), "")
+  name              = try(coalesce(var.cloudwatch_log_group_name, "/aws/ecs/${var.name}"), "")
   retention_in_days = var.cloudwatch_log_group_retention_in_days
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
 
@@ -177,7 +152,7 @@ resource "aws_ecs_capacity_provider" "this" {
 ################################################################################
 
 locals {
-  task_exec_iam_role_name = try(coalesce(var.task_exec_iam_role_name, var.cluster_name), "")
+  task_exec_iam_role_name = try(coalesce(var.task_exec_iam_role_name, var.name), "")
 
   create_task_exec_iam_role = var.create && var.create_task_exec_iam_role
   create_task_exec_policy   = local.create_task_exec_iam_role && var.create_task_exec_policy
@@ -203,7 +178,7 @@ resource "aws_iam_role" "task_exec" {
   name        = var.task_exec_iam_role_use_name_prefix ? null : local.task_exec_iam_role_name
   name_prefix = var.task_exec_iam_role_use_name_prefix ? "${local.task_exec_iam_role_name}-" : null
   path        = var.task_exec_iam_role_path
-  description = coalesce(var.task_exec_iam_role_description, "Task execution role for ${var.cluster_name}")
+  description = coalesce(var.task_exec_iam_role_description, "Task execution role for ${var.name}")
 
   assume_role_policy    = data.aws_iam_policy_document.task_exec_assume[0].json
   permissions_boundary  = var.task_exec_iam_role_permissions_boundary
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
@@ -14,21 +14,54 @@ variable "tags" {
 # Cluster
 ################################################################################
 
-variable "cluster_name" {
+variable "name" {
   description = "Name of the cluster (up to 255 letters, numbers, hyphens, and underscores)"
   type        = string
   default     = ""
 }
 
-variable "cluster_configuration" {
+variable "configuration" {
   description = "The execute command configuration for the cluster"
-  type        = any
-  default     = {}
+  type = object({
+    execute_command_configuration = optional(object({
+      kms_key_id = optional(string)
+      log_configuration = optional(object({
+        cloud_watch_encryption_enabled = optional(bool)
+        cloud_watch_log_group_name     = optional(string)
+        s3_bucket_encryption_enabled   = optional(bool)
+        s3_bucket_name                 = optional(string)
+        s3_kms_key_id                  = optional(string)
+      }))
+      logging = optional(string, "OVERRIDE")
+    }))
+    managed_storage_configuration = optional(object({
+      fargate_ephemeral_storage_kms_key_id = optional(string)
+      kms_key_id                           = optional(string)
+    }))
+  })
+  default = {
+    execute_command_configuration = {
+      log_configuration = {
+        cloud_watch_log_group_name = "placeholder" # will use CloudWatch log group created by module
+      }
+    }
+  }
+}
+
+variable "service_connect_defaults" {
+  description = "Configures a default Service Connect namespace"
+  type = object({
+    namespace = string
+  })
+  default = null
 }
 
-variable "cluster_settings" {
+variable "settings" {
   description = "List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster"
-  type        = any
+  type = list(object({
+    name  = string
+    value = string
+  }))
   default = [
     {
       name  = "containerInsights"
@@ -37,12 +70,6 @@ variable "cluster_settings" {
   ]
 }
 
-variable "cluster_service_connect_defaults" {
-  description = "Configures a default Service Connect namespace"
-  type        = map(string)
-  default     = {}
-}
-
 ################################################################################
 # CloudWatch Log Group
 ################################################################################
diff --git a/modules/service/main.tf b/modules/service/main.tf
@@ -231,7 +231,7 @@ resource "aws_ecs_service" "this" {
     for_each = var.volume_configuration != null ? [var.volume_configuration] : []
 
     content {
-      name = volume_configuration.value.name
+      name = try(volume_configuration.value.name, volume_configuration.key)
 
       dynamic "managed_ebs_volume" {
         for_each = [volume_configuration.value.managed_ebs_volume]
diff --git a/wrappers/cluster/main.tf b/wrappers/cluster/main.tf
@@ -8,21 +8,27 @@ module "wrapper" {
   cloudwatch_log_group_name              = try(each.value.cloudwatch_log_group_name, var.defaults.cloudwatch_log_group_name, null)
   cloudwatch_log_group_retention_in_days = try(each.value.cloudwatch_log_group_retention_in_days, var.defaults.cloudwatch_log_group_retention_in_days, 90)
   cloudwatch_log_group_tags              = try(each.value.cloudwatch_log_group_tags, var.defaults.cloudwatch_log_group_tags, {})
-  cluster_configuration                  = try(each.value.cluster_configuration, var.defaults.cluster_configuration, {})
-  cluster_name                           = try(each.value.cluster_name, var.defaults.cluster_name, "")
-  cluster_service_connect_defaults       = try(each.value.cluster_service_connect_defaults, var.defaults.cluster_service_connect_defaults, {})
-  cluster_settings = try(each.value.cluster_settings, var.defaults.cluster_settings, [
+  configuration = try(each.value.configuration, var.defaults.configuration, {
+    execute_command_configuration = {
+      log_configuration = {
+        cloud_watch_log_group_name = "placeholder"
+      }
+    }
+  })
+  create                                = try(each.value.create, var.defaults.create, true)
+  create_cloudwatch_log_group           = try(each.value.create_cloudwatch_log_group, var.defaults.create_cloudwatch_log_group, true)
+  create_task_exec_iam_role             = try(each.value.create_task_exec_iam_role, var.defaults.create_task_exec_iam_role, false)
+  create_task_exec_policy               = try(each.value.create_task_exec_policy, var.defaults.create_task_exec_policy, true)
+  default_capacity_provider_use_fargate = try(each.value.default_capacity_provider_use_fargate, var.defaults.default_capacity_provider_use_fargate, true)
+  fargate_capacity_providers            = try(each.value.fargate_capacity_providers, var.defaults.fargate_capacity_providers, {})
+  name                                  = try(each.value.name, var.defaults.name, "")
+  service_connect_defaults              = try(each.value.service_connect_defaults, var.defaults.service_connect_defaults, null)
+  settings = try(each.value.settings, var.defaults.settings, [
     {
       name  = "containerInsights"
       value = "enabled"
     }
   ])
-  create                                  = try(each.value.create, var.defaults.create, true)
-  create_cloudwatch_log_group             = try(each.value.create_cloudwatch_log_group, var.defaults.create_cloudwatch_log_group, true)
-  create_task_exec_iam_role               = try(each.value.create_task_exec_iam_role, var.defaults.create_task_exec_iam_role, false)
-  create_task_exec_policy                 = try(each.value.create_task_exec_policy, var.defaults.create_task_exec_policy, true)
-  default_capacity_provider_use_fargate   = try(each.value.default_capacity_provider_use_fargate, var.defaults.default_capacity_provider_use_fargate, true)
-  fargate_capacity_providers              = try(each.value.fargate_capacity_providers, var.defaults.fargate_capacity_providers, {})
   tags                                    = try(each.value.tags, var.defaults.tags, {})
   task_exec_iam_role_description          = try(each.value.task_exec_iam_role_description, var.defaults.task_exec_iam_role_description, null)
   task_exec_iam_role_name                 = try(each.value.task_exec_iam_role_name, var.defaults.task_exec_iam_role_name, null)
diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf
